Coinbase users’ real names, emails ‘leak’ online due to API function

Update: Coinbase has issued a statement on the “hack” and continues to downplay its importance and severity:

“Specifically with regard to the ‘request money’ feature of Coinbase, it is highly inaccurate to suggest that names or emails were leaked or that there has been a breach,” the company says. It adds:

While not ‘unlimited,’ it is intentional that Coinbase users are able to send invoices to an arbitrary number of email addresses. Allowing lists to be invoiced is core functionality of our service, and this functionality is intentionally built into our API. This process simply sends an email with a request. It does not initiate any bitcoin transfer without confirmation from the recipient, and would not be any more effective than more traditional phishing methods, which we spend a considerable amount of time preventing.

You can read the full exchange here.

Users of Bitcoin exchange Coinbase, beware: anybody who can guess your email address can easily get your full name, too.

An anonymous hacker has posted the email addresses and real names of more than 2,000 users, paired with their email address, to Pastebin, and claimed to own a “full list” of every single customer.

A source with knowledge of the situation told the Daily Dot that Coinbase does not believe such a list exists. The company does, however, publicly acknowledge the crux of the hacker’s findings: that anyone with a Coinbase account can send a request for money to literally any email address. If that email address is registered to a Coinbase account, the name associated with the account will appear in the pending transaction.

As a result of this function of Coinbase’s API, anyone who knows your email address can both confirm that you have a Coinbase account and obtain the name associated with that account. A person familiar with Coinbase’s private operations says the author of the Pastebin post likely compiled the list of emails and names using this aspect of the Coinbase API, and did not “hack” into Coinbase’s system.

Addressing the issue on the the forum Hacker One, Coinbase said “We’ve spent a good amount of time investigating this behavior and we believe that the risks are incredibly minor.” Coinbase also noted that it doesn’t require users use their real full name in their account.

Knowledge of the potential problem comes from that Hacker One post’s author, Shubham Shah, who seeks out software vulnerabilities. Shah has been in open contention with Coinbase the past few days about this issue: tweeting about, giving interviews, and even gif-ing the process. On Monday, he posted a blog post detailing how he does it. “I have tried my best to get these bugs fixed,” he wrote. “I mean no harm by posting this, but rather wish to inform Coinbase users.”

Coinbase is adament that it’s not a real hack, tweeting that the company “is, as always, secure–despite April Fools Day speculation.” Despite the reassurance, at least some Coinbase users claim to have received “phishing emails” following publication of the Coinbase user list.

It’s unclear if Shah had anything to do with the list of 2,000 names and email addresses, or if it was compiled by someone who ran with his ideas. Shah didn’t immediately respond to the Daily Dot’s request for comment—but to be fair, he’s apparently in Australia, and it’s the middle of the night there.

A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.